From 2c0ed076d538f783029fe350bafed5ec2a5b4b84 Mon Sep 17 00:00:00 2001
From: Uruk
Date: Fri, 7 Nov 2025 22:35:53 +0100
Subject: [PATCH] fix(security): prevent log injection in WebSocket message logging

Sanitize WebSocket messages before logging to prevent log injection attacks. User-controlled data from WebSocket messages could contain newline characters that allow forging fake log entries.

Changes:
- Convert message object to JSON string and remove newlines/carriage returns
- Use format specifier (%s) for safe string interpolation
- Applied fix to providers/WebSocketProvider.tsx and hooks/useWebsockets.ts

Resolves CodeQL security alert js/log-injection

Co-authored-by: GitHub Copilot Autofix
---
 hooks/useWebsockets.ts | 4 +++-
 providers/WebSocketProvider.tsx | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/hooks/useWebsockets.ts b/hooks/useWebsockets.ts
index 32b110a4..8906f739 100644
--- a/hooks/useWebsockets.ts
+++ b/hooks/useWebsockets.ts
@@ -96,7 +96,9 @@ export const useWebSocket = ({
 | Record
 | undefined;
 // Arguments are Dictionary
- console.log("[WS] ~ ", lastMessage);
+ // Sanitize output to avoid log injection
+ const msgStr = JSON.stringify(lastMessage).replaceAll(/[\n\r]/g, " ");
+ console.log("[WS] ~ %s", msgStr);
 
 if (command === "PlayPause") {
 console.log("Command ~ PlayPause");
diff --git a/providers/WebSocketProvider.tsx b/providers/WebSocketProvider.tsx
index 028a71e8..f74a2446 100644
--- a/providers/WebSocketProvider.tsx
+++ b/providers/WebSocketProvider.tsx
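Review bot: In the hooks/useWebsockets.ts hunk, `JSON.stringify(lastMessage)` returns `undefined` when `lastMessage` is `undefined`, a value the context line `| undefined;` shows is legal here, so the new `.replaceAll(...)` throws a TypeError where the old `console.log("[WS] ~ ", lastMessage)` simply printed it. Guard the value first, e.g. `const msgStr = String(JSON.stringify(lastMessage)).replaceAll(/[\n\r]/g, " ");` or pass `lastMessage ?? null` so an absent message logs as `null`. Note also that `JSON.stringify` already escapes control characters inside strings (a raw newline becomes the two characters `\n`), so the `replaceAll` is effectively a no-op on its output; a comment such as `// JSON.stringify escapes control chars (incl. newlines); the replaceAll is a belt-and-braces pass` would keep a later maintainer from removing the half that actually does the work. `useWebSocket` starts and continues outside the hunk.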
@@ -96,7 +96,9 @@ export const WebSocketProvider = ({ children }: WebSocketProviderProps) => {
 newWebSocket.onmessage = (e) => {
 try {
 const message = JSON.parse(e.data);
- console.log("[WS] Received message:", message);
+ // Sanitize output to avoid log injection
+ const msgStr = JSON.stringify(message).replaceAll(/[\n\r]/g, " ");
+ console.log("[WS] Received message: %s", msgStr);
 setLastMessage(message); // Store the last message in context
 } catch (error) {
 console.error("Error parsing WebSocket message:", error);
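Review bot: The sanitization stops at the happy path: the `catch` branch still logs the raw parse error with `console.error("Error parsing WebSocket message:", error)`, and in current V8 builds a `JSON.parse` SyntaxError message quotes a fragment of the offending input, so a malformed frame can presumably carry newline characters into the log by that route (worth confirming against the runtime in use). Logging only a normalized message closes it, e.g. `console.error("Error parsing WebSocket message: %s", error instanceof Error ? error.message.replaceAll(/[\n\r]/g, " ") : String(error));`. The new lines themselves are safe here, since `JSON.parse` never yields `undefined`, so `JSON.stringify(message)` always produces a string. The `onmessage` handler and `WebSocketProvider` start and continue outside the hunk.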